Cybersecurity continues to rise up the board agenda across India Inc: Survey

EY’s Global Information Security Survey

With one of the highest number of cyber threats detected in India, and the country ranking second in terms of targeted attacks, cybersecurity has become a boardroom concern for organizations across verticals, revenue bands and geographies, cites EY’s Global Information Security Survey (EY GISS) 2018-19 – India edition. The report was launched in New Delhi today in the presence of Dr. Gulshan Rai, Cyber-Security Chief, Prime Minister’s Office, Government of India.

The latest EY GISS India edition captures responses of 230 C-suite leaders representing India’s most recognized organizations with revenues ranging from less than USD 10 million to over USD 10 billion.

In India, while 62% of the boards are taking active steps to strengthen their cyber security understanding only 46% of boards or executive management teams have a comprehensive understanding of information security to fully evaluate cyber risks and related preventive measures. The interest in cybersecurity reporting at board level has grown from attempts to understand technology to the point where boards now have a fiduciary responsibility to manage cybersecurity risk. However, only in 30% of organizations surveyed, board members are taking an ultimate responsibility for cybersecurity.

Speaking at the launch of the report, Dr. Gulshan Rai, Cyber-Security Chief, Prime Minister’s Office, Government of India said, “As we accelerate towards becoming a trillion-dollar digital economy, building the right framework for cyber resilience and security is critical for the country. The need of the hour is to enable and foster a cyber-secure culture and ecosystem. The Government on its part has taken a number of initiatives in this direction; however, the involvement of each citizen and all organizations to make it a collective and coordinated movement is must for the success of the cyber secure eco system.”

Commenting on the findings, Burgess Cooper, Partner – Cyber Security, EY India said, “In comparison to the previous years, organizations are planning to spend more on cybersecurity, devoting more resources for improving their defences, and working harder to embed security-by-design. With the rise in digital movement and subsequent exponential increase in data generation, there is a growing realization that security is also about maintaining the continuity of business operations — and not restricted to only security of data and privacy.”

The survey highlights that while 70% of Indian organizations plan to increase their cybersecurity budgets, only 19% have a sufficient budget to provide the levels of cybersecurity and resilience as required. Furthermore, the survey reveals that 69% of organizations are still spending a very limited portion of their overall IT budget on cybersecurity with lower level of awareness of where their most critical information and assets are, and inadequate safeguards to protect these assets.

The survey highlights major challenges that limit the value delivery as well as the operational effectiveness and efficiencies of the information security function –

  • While 56% of the organizations consider cyber security as an integral part of their strategy and plans, skills shortage has emerged as a key overarching problem wherein even organizations from relatively well-resourced sectors are struggling to recruit the talent they require
  • 69% of organizations say their information security function is at least partially meeting their needs, and 70% of the organizations agree that their information security function needs improvement
  • 32% respondents have cited careless or unaware employees as their topmost vulnerability with the most increased risk exposure, over the last 12 months
  • 46% of respondents have no program – or an informal program – for one or more of the following – threat intelligence, vulnerability identification, breach detection, incidence response, data protection and identity and access management.

Sector insights:

  • 87% of the organizations in the Technology sector, and 70% of the organizations in the telecom sector regard careless employees as the most likely source of attack
  • 84% of Consumer products and Retail brands do not have a functional Security Operations Centre (SoC) which reflects that nearly half of the companies are unable to detect the occurrence of a cyber-attack. Additionally 90% them do not have a direct representation for information security at the board level
  • 25%-50% of additional funding is required over existing security budget to better protect against emerging threats by 100% of Telecom organizations, 92% of Technology organizations, and 58% of Power and Utilities organizations. However, 75% of the organizations in the Consumer products and Retail have identified that more than 50% of the additional funding over existing security is required
  • Almost 75% of organizations in the Power and Utilities sector have reported an absence of adequate or formal programs for threat intelligence, vulnerability identification, breach detection and incident response